I'm trying to test a batch file that should test for administrator privileges, but I have the weird problem that I can't run it without administrator privileges.
net session >nul 2>&1
if %errorLevel% == 0 (
rem do whatever...
Sure, I can just create another user account and run it from there, but that's a bit much effort just for one little test.
The script example above may not exactly be what I wanted because I need a general solution, for example to test if an installer can run without admin rights.
Is there an easier way? A command line argument for running something without administrator privileges maybe?
BTW, I disabled UAC if that makes any difference.
You can try with
runas /trustlevel:0x20000 "cmd.exe /c ....."
use runas /showtrustlevels to see the available levels
Related
I wrote a little program to automate:
Taking own of a file/folder for a specified User.
Get (for the same User) FULL CONTROL of the file/folder.
Now, it is well know that takeown.exe wants cmd.exe to be run as Administrator rights. So, to do in a batch file (most of the time called from a non-Administrator cmd window), I run:
call runas /noprofile /user:"!domain!\!runasUsr!" "cmd /k takeown /f ""!entity!"" /r"
However, even though I pass as !runAsUsr! a name which is contained in the Administrators Group, I get:
ERROR: the user currently connected does not have the ownership privileges on file/folder ...
I tried setting !runAsUsr! = Administrators, but unfortunately I do not remember the password (if I even set one...). For that, I could change from computer manager (or net command), but I do not well know how that command works, so I wouldn't mess things up.
But still, I do not understand why I get that error since the User I pass is within the Administrators group..
I see from computer manager that default account for computer administration is User:Administrator of the Group:Administrators, so this might be the problem. So, how to set the other account to have same rights?
I also tried
call runas /noprofile /user:"!domain!\Administrator" "cmd /k takeown /f ""!entity!"" /r"
getting following error:
ERROR RUNAS: impossible to execute - cmd /k takeown /f "C:\Program Files\Microsoft VS Code\resources\app\extensions\css" /r
1327: restriction on user account do not allow this user to get access.
For example, empty password field not allowed, access times restrictions or application of restriction criteria.
I have a batch file that starts with elevated privileges (my installer spawns it), but at a certain point I need to run a command as the original user who started my installer (i.e. drop from the elevated privileges).
Is it possible to do so?
You can run a command with restricted privileges with:
runas /trustlevel:0x20000 "YourCommandHere"
You should provide the absolute path to your command including any arguments in double quotes as an argument to runas.
If you would like to run more than one command with restricted privileges, you can put them in a separate batch file and run it with:
runas /trustlevel:0x20000 "cmd /C PathToYourBatchFile"
Anyway, this will open a new console with restricted privileges. You also have to use this syntax whenever you wish to run with restricted privileges an internal command (like copy, del, etc.) as these are provided by the command line interpreter and do not have an associated path.
Note that 0x20000 is the trust level of standard users. You can list other available trust levels by running
runas /showtrustlevels
It's still a privileged program (though restricted) in Task Manager by using this command:
runas /trustlevel:0x20000 <cmd>
You can try the other way, which will make it unprivileged in Task Manager:
runas /savecred /user:%username% <cmd>
You still need to enter the password once but not every time.
Use explorer.exe to launch the program:
explorer.exe <cmd>
explorer.exe won't accept arguments for cmd, but you can create a temp script file and lauch it by explorer.exe if arguments are necessary.
I have written a batch file which starts OpenVPN. If the client is found, I check the connectivity by running PING. If the server is not found, then this means that although OpenVPN is running, the connection has not been established. At this point I want to restart OpenVPN. Because I am not using the admin account for this script, I always get the error "permission denied" when using TASKKILL /F. Is there anyway around this?
There are two methods of running a command with administrator privileges.
Solution 1:
Right-Click the batch-file and click run as admin.
Solution 2:
Use the runas command to run a command or batch file with administrative permissions. This way the process is still automate but you will still need to type in the password for administrator.
Example:
C:\> runas /user:administrator "taskkill /f /im explorer.exe"
Enter the password for administrator:
Type runas /? for more info.
if you are already the administrator, you can create a shortcut to your batch file and when you right click the shortcut -> properties -> advanced -> check the checkbox "run as administrator"
and voila!
everytime you run the batch script via this shortcut file, it will run as administrator and will kill without any discrimination, happily ever after
I am trying to create a batch file to run an unattended installation of Adobe Reader 9 (it is a MSI file)
My problem is with the UAC. If I make a command like this:
msiexec.exe /i "AcroRead.msi" EULA_ACCEPT=1 ALLUSERS=1 /passive
The installation runs fine, except that I have to accept the UAC before it does anything. If I replace the /i with /a, it skips the UAC, and it seems to be installing, but when it finishes, it didn't install the program at all! No error message or nothing, it does not show up on add/remove programs.
Might it be that it installs to the wrong profile if I use the /a switch?
I am very new to scripting, so most of the info I have is what I can scavenge from google.
I know there are ways to disable the UAC from the batch, but if possible I would like to avoid that.
I am doing this on a virtual Win7 x64 sp1 machine.
Any software installation should prompt for admin credentials regardless of whether you launch the installer via the batch script or double-clicking the AcroRead.msi file in Windows Explorer. This is how permission on Windows works, and to be honest, I wouldn't want a system that could be bypassed via a terminal WITHOUT prompting for credentials. I don't believe there's any way around this.
Try removing /passive, since maybe that is suppressing an error message. Also insert a pause statement at the end of your batch script so you can read the error message before the command prompt is closed.
Edit:
Run the batch script as an administrator. This is different than running msiexec with the /a command. This will open the UAC prompt at the beginning of the script, and if authenticated, the rest of the batch file will be run with admin privileges.
/a is not used for a normal installation. It will generate an administrative installation. A "network" installation to allow other users to install from a common repository.
I have a Server 2008 R2 Standard. I need to execute a batch-file using psexec from my PC Win7. The only time this worked is when i disabled the UAC on my server. Deactivating the UAC is out of the question, I'm looking for a solution with UAC enabled.
Error message:
Could not start PSEXESVC service on remotehost:
Access denied.
PS: In my command line of psexec I'm using the administrator user of my server to execute the batch-file. The UAC level is 3 on my server.
Best regards,
Tasso
It took me hours to find a working way to PsExec between two Windows 7 computers with a non-Admin user starting PsExec.
Disabling UAC...
EnableLUA=0
ConsentPromptBehaviorAdmin=0
LocalAccountTokenFilterPolicy=1
...did not work, turning off the firewall did not work.
Here I found the working way - thanks JelmerS (PSexec is not connecting to machine using supplied username and password).
*This is because psexec still tries to access the ADMIN$ share with your local credentials, before executing your command as another user. According to this thread, you can cache credentials before executing psexec:
cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE
psexec.exe \\MACHINE_NAME_HERE -i notepad
cmdkey.exe /delete:MACHINE_NAME_HERE*
Best regards, Peter
It seems that running PsExec from a Win7/Win2K8 machine against a Win7/Win2K8 target, regardless of the "-u" and "-p" params on the PsExec command-line,those params are ignored and PsExec is being executed remotely with whatever user credentials we happen to be logged in locally with.
Even though you stating which user account to execute the command on the remote system it executes the psexec command as the user that opened the command window.
When opening the Command Prompt, please right click it and select 'run as Administrator'. Meanwhile, make sure the user has administrator privileges on target PC.
The only solution i see to offer is to use the "Runas" (with the account you will need on the remote system) command to execute PsExec and forget the -u -p params.
In command prompt, you can try as,
echo "password" > pwd
runas /env /netonly /user:domain\Administrator "psexec.exe your_local_program.bat" < pwd
del pwd
Or just:
echo password | runas /env /netonly /user:domain\Administrator "psexec.exe your_local_program.bat"
Moreover....
Don't forget to check your Anti-virus which frequently blocks several of the PStools.